Wayne Smith CITP FBCS MSc, IT and Information Security Director at Birmingham Airport talks to Johanna Hamilton AMBCS about the benefits of taking more tech in-house, and why it’s a good idea if everything isn’t connected.

A career in IT at Birmingham Airport, spanning more than three decades has seen BCS Fellow Wayne Smith through a chain of advancements, culminating in a recent promotion to Vice Chair of the Cyber Task Force at ACI Europe (a trade association promoting professional excellence in airport management).

Tell me about your responsibilities at Birmingham Airport?

I’m responsible for two divisions, normal business IT and operational systems - which includes three critical system criteria - getting passengers onto planes, bags onto planes and planes off the ground. The passengers are processed through the check-in system and the security systems.

Then, for the baggage, there are a number of disparate systems including SCADA and the Baggage ICS. The Baggage Reconciliation System (BRS) that was introduced following the Lockerbie disaster ensures that if you don't get on a plane and you've checked your bag in, your bag is off-loaded before the plane departs.

Lastly, there’s the airport management system, we call them AODB's, Airport Operational Databases. That's all about managing the aircraft as they come into the airport, how and where you park them, what services they require, how we turn them around and how we get them back into the sky.

I also have a newer, Information Security team, mainly based around handling the policy and the regulatory side of information and cyber security.

So, do you have a tech background, or more operational management?

I’ve grown up through the IT side. I was a developer and then I went into support and then into business analysis and then project management and system management. In those roles, you have to work with lots of departments, so you build good relationships and have a greater insight into how everything works. I think that stands you in good stead then for being promoted to management and then becoming a director where you discuss a wide variety of things at the board level of which only a tiny fraction include IT.

What are the unique challenges within your sector?

Lots of physical challenges and lots of challenges around perception as well. Airports are seen as a high-profile target for cyber-attacks because, if something happens, it ends up in the newspapers very quickly. In some countries, air travel is a part of government, however, in the UK they're just a collection of small to medium sized privately-owned companies. The ‘bad guys’ continue to see us as some sort of pseudo-government organisation, so in that respect, we then have lots of people trying to disrupt our services.

Our ‘bad actors’ vary significantly from hacktivists through to organised crime to nation states. There are also the generic threats that are out there which are not targeted at anyone.

If a ransomware attack hits a small-to-medium sized company in the centre of Birmingham, that provides a service or creates widgets, no one would probably know. If it hits an airport, then the flight monitors suddenly start displaying the ransomware screen then a) the public know very quickly and then b) the press knows very quickly. It becomes very high profile very quickly and that's probably why airports are targets.

The ‘attack’ doesn’t even need to be anything more than taking over a display board. If the bad guys can get a message on our flights display monitors to say, ‘all flights are cancelled,’ or, ‘this airport is controlled by a terrorist group,’ that in itself would cause enough panic and disruption - even though the systems themselves could all be completely safe and all be completely normal running behind the scenes.

The entertainment system on an aircraft, which is distinct from the flight controls, could be used to host a terror message and in-flight has the potential to cause terrible panic.

How prevalent are attacks on airports?

We have lots. We experience a lot of the ‘drive-by’ (untargeted) generic attacks which are a fact of life in a digital world. We see phishing attacks that are linked to malware and linked to ransomware on a daily basis - sometimes multiple times per day, which equate to hundreds and thousands of times per day across the entire company.

In addition to that, probably about once a month or once every other month, we have targeted attacks. It tends to happen overnight, where we’ll have a two to three hour sustained attack trying to get into known vulnerabilities in our systems. It can be quite intense for a couple of hours and then it just dissipates. We take steps to find out where the attack is coming from, but the actors can disguise the route starting point so it's very difficult for us to attribute it precisely to anyone.

If these attacks occur with predictable regularity, what do you do to scupper their attack attempts?

We do the basics well. It’s a case of having the base level of patching and maintenance in place; antivirus and firewalls patched as well as checking that the rules are up to date, audited and current. We've seen attacks over Christmas Day and Boxing Day in the past as well, when actors assume people aren't going to be there. That said, one of the improvements I introduced when I was in my previous role of head of IT was to change from a 9 to 5 with an ‘on-call system’ IT operation to being onsite 24/7. That's made a huge difference.

The airport contains a lot of information technology and operational technology. Historically, operational technology is built with availability in mind and not security. So, talk to us about the conflict between availability and security in an airport?

When I became head of IT back in 2008, I wanted all critical systems on the corporate network that weren’t on there already - including traditional engineering systems, like the baggage system. Historically in some organisations, these have been networked, and even connected to the internet, with little involvement from IT. This clearly could introduce vulnerabilities into a critical system.

So, all of those systems are now on our corporate network. Any extra egress points to the outside world have been removed. Everything goes through the corporate strengthened firewalls. Likewise, the servers that were historically dispersed around the baggage system, are now protected in the corporate data centres. So, all the operational technology systems are treated as our other systems are now both in terms of network protection and cyber protection. The engineering systems may not have been specifically designed with cyber security in mind, but we’re now having the conversations with suppliers to ensure the next generation do.

Birmingham Airport is one of the critical national infrastructure airports, so we have to adhere to the NIS directive. Part of that, is the supply chain assurance and that is giving us the mechanism for having those conversations with our suppliers, certainly our tier one suppliers, to start looking at the cyber security of their products before they even get to us. We're also looking at a programme of penetration testing those devices. In the past, we may have relied on the perimeter being secure and people not getting past that. We're now looking at each device individually on the network to check the security of all devices such as metal detectors, baggage scanners and check-in systems.

Do you think having third party suppliers increases the vulnerability of the airport?

Any other party you bring in, is going to increase the risk - it’s how you manage that risk. The issue we have in the aviation world is that a very small number of suppliers supply the equipment and systems. So, if there are only two or three and you want to distinguish one, they're probably aware that other airports will be looking at price or functionality, rather than cyber security. So, it's very hard to drive that cyber security standard up when the market place is so narrow.

An excellent example is the check-in system. Here, we install it and run it and then lease it back to the airlines on a commercial model. At other airports, the airlines will contract directly with the supplier and do it themselves. Now with the best will in the world, the station managers of airlines have other expertise and focus which means that cybersecurity may not be high on their agenda. At Birmingham, that’s not an issue as all critical systems are managed centrally by the airport. Additionally, some years ago, we also insourced air traffic control and the cyber security aspects of air traffic control fall under my responsibility as well.

Are you responsible across the whole of IT and OT, or are there supplier responsibilities for securing different pieces of hardware?

My responsibility is across everything but even if you buy the securest piece of equipment you can implement it in an insecure way. And you can implement an insecure piece of equipment in the most secure way as well. So, you can't rely on suppliers to deliver the safest equipment. We've got to rely on ourselves to make sure they are implemented in the most secure way possible.

How important is incident response in airport security?

Very, because with the best defences in the world it's going to happen one day. Whether that's a malicious attack or an accidental event, or because someone is tired or having a bad day - people are often the weakest link in the chain. At some point in the future there is going to be an incident.

We have a cyber security incident response policy and numerous runbooks that will allow us to test different scenarios. We experienced a non-cyber related issue a couple of years ago and it was a great opportunity to test our plans. We sent office-based staff over to the terminal in yellow jackets with whiteboards who were writing flight details up. That type of incident will happen at some point and I’d like to think we’re prepared.

Tell me about analytics and how do you prioritise when there’s so much data?

We've always invested in tools whereby we can tune the alerts. We don't have a large team in IT or Information Security, so we have had to invest in tools wisely that do a lot of the filtering before it gets to us. I'm quite keen on some of the latest AI and ML techniques that only alert us to real exceptions that are outside of our normal operating parameters. Having an AI engine do the donkey work and more skilled people to respond to the high priority incidents seems to be a better way to go.

How important is cyber security awareness training within your environment?

When I took on my directorship, I wanted to roll out information security training and GDPR training across the board. So, with the backing of the board, this is now mandatory. If training is not completed within a certain window, your account is locked out. Even if you’re the CEO, the same rule applies to everyone.

Next year we’re changing to video-based training of 2-3 minutes per month to keep the training fresh and front of mind. If you fall behind by say two months, again, your account will be locked out.

We also do phishing training on an ongoing basis. If you click on the link, you're taken to another little training video to tell you what you did wrong and why.

Is there anything that worries you about your industry and cyber security?

The disruption element. We don't manufacture anything, so we don't have large amounts of intellectual property or plans that are worth stealing. We don't have lots of customer data because airline tickets and parking are sold through third parties - but what we do know is that people will try and disrupt us - and one of the biggest types of disruption is ransomware.

We've gone to great lengths to segregate our systems and networks to try and mitigate any attack of that nature. We have systems in place to spot it and block it. That's the biggest worry. That or something similar that can quickly spread and cause the organisation to grind to a halt.

Advice for students...

I've been running an apprenticeship programme under the modern apprenticeship scheme for a number of years. In fact, our first ever apprentice has been here for eight years and is now a senior IT support officer within the IT team. I also like to refresh the scheme every two years and have just started an apprenticeship programme for information security.

I would advise anyone to take every opportunity they can to either learn about new things, attend any workshops or conferences. Take part in all training including non-IT training such as supervisory training or presentation techniques because you never know when that's going to come in handy. Plus, it’s great for your CV if anything happens and you need it for other places.

My latest apprentice is like a sponge and just soaks up information and wants more. I believe that getting into Information Security at this time, when it's still relatively new and teams are growing and skills are growing, that I can only see more and more demand in the future. I think that's a good thing for young people.

Advice for peers...

I would say my approach has always been to do the basics well, get that sorted. Don't try and baffle the board with three-letter acronyms and tech-speak and wherever you can, translate an idea into a story that makes sense to them. I often use the front door of your house as an analogy for the network and ask, ‘would you leave the front door open? Okay, what if you left a window open?’ Stakeholders can relate to stories in their own minds - and it helps to get these complex technical issues over to them in a way that's meaningful and understandable.

Before now, I've had to use the analogy of the railway system, where the stations represent network switches and the people represent the data on the network, and they get off the trains onto the stations and then they get onto another train that comes along to try and explain how networks work and the network traffic flow.

I would also say, be honest with board members, don't try and say a project was brilliant when it clearly wasn’t and similarly, don’t try and scaremonger when a situation is not that serious. Look at what the real risks are for the business and translate it into pounds, shillings and pence - that's the language of the boardroom. Rather than telling them about a system being out for six hours, tell them what the cost is to the business.